!92 fix CVE-2019-14584

From: @huiyingc Reviewed-by: @yezengruan Signed-off-by: @yezengruan
2022-09-29 02:53:45 +00:00 · 2022-09-29 02:53:45 +00:00 · c74f841895
commit c74f841895
parent dfccd31fa3 3af2a142f4
2 changed files with 66 additions and 1 deletions
--- a/0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
+++ b/0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
@ -0,0 +1,61 @@
+From 26442d11e620a9e81c019a24a4ff38441c64ba10 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 25 Apr 2019 23:42:16 +0800
+Subject: [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+
+AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
+signed authenticode pkcs#7 data. when this successfully returns, a type
+check is done by calling PKCS7_type_is_signed() and then
+Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
+blob that successfully decodes and have d2i_PKCS7() return a valid pointer
+and have PKCS7_type_is_signed() also return success  but have Pkcs7->d.sign
+be a NULL pointer.
+
+Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
+pkcs7 structs it does the following:
+- call PKCS7_type_is_signed()
+- call PKCS7_get_detached()
+Looking into how PKCS7_get_detatched() is implemented, it checks to see if
+p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
+
+As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
+- Add call to PKS7_get_detached() to existing error handling
+
+Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
+Cc: Guomin Jiang <guomin.jiang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
+---
+ CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+index 2772b1e2be..3c2d14a88b 100644
+--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+@@ -9,7 +9,7 @@
+   AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
+   data structure.
+ 
+-Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2020, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -100,7 +100,7 @@ AuthenticodeVerify (
+   //
+   // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
+   //
+-  if (!PKCS7_type_is_signed (Pkcs7)) {
+  if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
+     goto _Exit;
+   }
+ 
+-- 
+2.27.0
+
--- a/edk2.spec
+++ b/edk2.spec
@ -5,7 +5,7 @@

 Name: edk2
 Version: %{stable_date}
-Release: 8
+Release: 9
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@ -39,6 +39,7 @@ Patch0024: 0022-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
 Patch0025: 0023-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
 Patch0026: 0024-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
 Patch0027: 0025-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
+Patch0028: 0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch

 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2

@ -234,6 +235,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif

 %changelog
+* Thu Sep 29 2022 chenhuiying<chenhuiying4@huawei.com> - 202002-9
+* fix CVE-2019-14584
+
 * Fri Jan 28 2022 Jinhua Cao<caojinhua1@huawei.com> - 202002-8
 - fix CVE-2021-38576